From 2b8786b8b60d2c846e202db8889ce155d5421f06 Mon Sep 17 00:00:00 2001
From: Andy Loughran
Date: Mon, 15 Sep 2025 19:37:16 +0100
Subject: [PATCH 1/5] Updated to add github attestation to all binaries
---
 .github/workflows/publish-layer-collector.yml | 9 +++++++++
 .github/workflows/release-layer-collector.yml | 6 ++++++
 .github/workflows/release-layer-java.yml | 9 +++++++++
 .github/workflows/release-layer-nodejs.yml | 4 ++++
 .github/workflows/release-layer-python.yml | 5 +++++
 .github/workflows/release-layer-ruby.yml | 5 +++++
 6 files changed, 38 insertions(+)
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
index 5fd3f2e20c..b9e585c414 100644
--- a/.github/workflows/publish-layer-collector.yml
+++ b/.github/workflows/publish-layer-collector.yml
@@ -47,9 +47,14 @@ on: description: 'Build tags to customize collector build' required: false type: string + codesigning-profile: + description: 'The AWS Signing Profile for the layers' + required: false + type: string permissions: contents: read + attestations: write jobs: prepare-build-jobs:
@@ -89,6 +94,10 @@ jobs: fi echo "Build tags: $BUILDTAGS" make -C collector package GOARCH=${{ matrix.architecture }} BUILDTAGS=$BUILDTAGS + - name: Generate artifact attestation + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: ${{ github.workspace }}/collector/build/opentelemetry-collector-layer-${{ matrix.architecture }}.zip - name: Upload Collector Artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with:
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
index e307dc7f51..fbd3bb3ee5 100644
--- a/.github/workflows/release-layer-collector.yml
+++ b/.github/workflows/release-layer-collector.yml
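Review bot: In the second hunk of publish-layer-collector.yml the version pin comment on the new attest-build-provenance line is written `#v3.0.0`, while the neighbouring upload-artifact pin uses `# v4.6.2`; yamllint's `comments` rule expects a space after the hash, so the line should read `uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0`. The same spelling is repeated in every attestation step this patch adds (release-layer-collector, -java, -nodejs, -python and -ruby). This step is also the only one whose `subject-path` is prefixed with `${{ github.workspace }}`; the other five workflows pass repo-relative paths, which the action accepts as well, so one convention across the workflows would keep the steps directly comparable. The build-layer job this step belongs to starts before the hunk.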
@@ -39,6 +39,12 @@ jobs: go-version-file: collector/go.mod - name: build run: make -C collector package GOARCH=${{ matrix.architecture }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: ${{ github.workspace }}/collector/build/opentelemetry-collector-layer-${{ matrix.architecture }}.zip + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: opentelemetry-collector-layer-${{ matrix.architecture }}.zip
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
index e967410e33..83716c0c9d 100644
--- a/.github/workflows/release-layer-java.yml
+++ b/.github/workflows/release-layer-java.yml
@@ -44,12 +44,21 @@ jobs: cd java ./gradlew :layer-javaagent:assemble :layer-wrapper:assemble --scan --stacktrace + - name: Generate artifact attestation for javaagent + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: java/layer-javaagent/build/distributions/opentelemetry-javaagent-layer.zip + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 name: Save javaagent layer to build with: name: opentelemetry-javaagent-layer.zip path: java/layer-javaagent/build/distributions/opentelemetry-javaagent-layer.zip + - name: Generate artifact attestation for javawrapper + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: java/layer-wrapper/build/distributions/opentelemetry-javawrapper-layer.zip - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 name: Save javawrapper layer to build with:
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
index f64f7adfd3..82ae987ea1 100644
--- a/.github/workflows/release-layer-nodejs.yml
+++ b/.github/workflows/release-layer-nodejs.yml
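Review bot: The two new attestation steps in release-layer-java.yml attest one zip each and are interleaved with the two upload-artifact steps, so a reader has to pair each attestation with its upload by name. actions/attest-build-provenance accepts a glob or a newline-separated list in `subject-path`, so a single step directly after the gradle assemble could cover both distributions: `subject-path: |` followed by `java/layer-javaagent/build/distributions/opentelemetry-javaagent-layer.zip` and `java/layer-wrapper/build/distributions/opentelemetry-javawrapper-layer.zip`. Each zip remains an independently verifiable subject of the resulting attestation, and the job then has one attest step to keep in sync with the build output instead of two. The build-layer job this hunk belongs to starts before the hunk and its steps continue after it.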
@@ -51,6 +51,10 @@ jobs: run: mv layer.zip opentelemetry-nodejs-layer.zip working-directory: nodejs/packages/layer/build + - name: Generate artifact attestation for nodejs-layer + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: nodejs/packages/layer/build/opentelemetry-nodejs-layer.zip - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 name: Save assembled layer to build with:
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
index 64f132e391..3512a5a526 100644
--- a/.github/workflows/release-layer-python.yml
+++ b/.github/workflows/release-layer-python.yml
@@ -57,6 +57,11 @@ jobs: run: | ls -al working-directory: python/src/build + + - name: Generate artifact attestation for python-layer + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: python/src/build/opentelemetry-python-layer.zip - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 name: Save assembled layer to build
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
index 472f634657..df470895a1 100644
--- a/.github/workflows/release-layer-ruby.yml
+++ b/.github/workflows/release-layer-ruby.yml
@@ -50,6 +50,11 @@ jobs: ls -al working-directory: ruby/src/build + + - name: Generate artifact attestation for ruby-layer + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0 + with: + subject-path: ruby/src/build/opentelemetry-ruby-layer.zip - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 name: Save assembled layer to build with:
From d7691d2ce12a3d57e7740671dee4bfc46443afdd Mon Sep 17 00:00:00 2001
From: Andy Loughran
Date: Mon, 15 Sep 2025 20:38:17 +0100
Subject: [PATCH 2/5] Updated attestations
---
 .github/workflows/publish-layer-collector.yml | 5 ++++-
 .github/workflows/release-layer-collector.yml | 2 ++
 .github/workflows/release-layer-java.yml | 2 ++
 .github/workflows/release-layer-nodejs.yml | 2 ++
 .github/workflows/release-layer-ruby.yml | 2 ++
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
index b9e585c414..a7e0858ad4 100644
--- a/.github/workflows/publish-layer-collector.yml
+++ b/.github/workflows/publish-layer-collector.yml
@@ -54,7 +54,6 @@ on: permissions: contents: read - attestations: write jobs: prepare-build-jobs:
@@ -75,6 +74,10 @@ jobs: build-layer: needs: prepare-build-jobs runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + attestations: write strategy: matrix: ${{ fromJSON(needs.prepare-build-jobs.outputs.build_jobs) }} steps:
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
index fbd3bb3ee5..3109450853 100644
--- a/.github/workflows/release-layer-collector.yml
+++ b/.github/workflows/release-layer-collector.yml
@@ -22,7 +22,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-layer: permissions: + id-token: write contents: write + attestations: write runs-on: ubuntu-latest needs: create-release strategy:
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
index 83716c0c9d..c00a3b5bc8 100644
--- a/.github/workflows/release-layer-java.yml
+++ b/.github/workflows/release-layer-java.yml
@@ -22,7 +22,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-layer: permissions: + id-token: write contents: write + attestations: write runs-on: ubuntu-latest needs: create-release outputs:
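Review bot: In the second hunk of publish-layer-collector.yml the new job-level block grants `contents: write` to build-layer, a job that until now ran under the workflow-level `contents: read` shown in the preceding hunk. actions/attest-build-provenance needs only `id-token: write` and `attestations: write` on top of `contents: read`, and the steps of this job visible in the series (build, attest, upload-artifact) neither push nor create releases, so unless a step outside the hunk needs it the line should be `contents: read` to keep the matrix job at least privilege. The release-layer-* hunks in this patch are the minimal form: `contents: write` already existed on those jobs and only the two attestation scopes are added. Since `id-token: write` is job-wide and lets every step in build-layer mint an OIDC token, a one-line comment such as `# id-token: write is required by actions/attest-build-provenance (Sigstore OIDC)` would record why it is there and discourage widening the block later.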
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
index 82ae987ea1..12d3d8accf 100644
--- a/.github/workflows/release-layer-nodejs.yml
+++ b/.github/workflows/release-layer-nodejs.yml
@@ -22,7 +22,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-layer: permissions: + id-token: write contents: write + attestations: write runs-on: ubuntu-latest needs: create-release outputs:
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
index df470895a1..5dc8c6079e 100644
--- a/.github/workflows/release-layer-ruby.yml
+++ b/.github/workflows/release-layer-ruby.yml
@@ -22,7 +22,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-layer: permissions: + id-token: write contents: write + attestations: write runs-on: ubuntu-latest needs: create-release outputs:
From f6cf1c7140af429d38b9dbd7506f377e1ed05cf2 Mon Sep 17 00:00:00 2001
From: Andy Loughran
Date: Mon, 15 Sep 2025 21:07:31 +0100
Subject: [PATCH 3/5] Update publish-layer-collector.yml
From eb4b1bf937e7828224196ecb43882be603446da5 Mon Sep 17 00:00:00 2001
From: Andy Loughran
Date: Mon, 15 Sep 2025 21:25:46 +0100
Subject: [PATCH 4/5] Removed codesigning config
---
 .github/workflows/publish-layer-collector.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
index a7e0858ad4..4f5da51d9f 100644
--- a/.github/workflows/publish-layer-collector.yml
+++ b/.github/workflows/publish-layer-collector.yml
@@ -47,11 +47,7 @@ on: description: 'Build tags to customize collector build' required: false type: string - codesigning-profile: - description: 'The AWS Signing Profile for the layers' - required: false - type: string - + permissions: contents: read
From ee42775eadb748a75ea7b858fa8c70ddbeb8a96d Mon Sep 17 00:00:00 2001
From: Andy Loughran
Date: Mon, 15 Sep 2025 21:34:26 +0100
Subject: [PATCH 5/5] added python permissions
---
 .github/workflows/release-layer-python.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
index 3512a5a526..dc048ebd8b 100644
--- a/.github/workflows/release-layer-python.yml
+++ b/.github/workflows/release-layer-python.yml
@@ -22,7 +22,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-layer: permissions: + id-token: write contents: write + attestations: write runs-on: ubuntu-latest needs: create-release outputs: